One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may not “discriminate” against consumers for exercising certain rights under the CCPA, and they will need to assess whether and how they can require consumers to accept certain data practices as a condition of service. Compliance would be challenging even if the provision were articulated clearly, but as we have discussed in this blog series, the accelerated drafting process and passage of the CCPA earlier this year left little time for public comment and responsive amendments. As a result, the law includes a series of ambiguities that complicate compliance, and nowhere is that more apparent than in the anti-discrimination provision.

This entry in Hogan Lovells’ ongoing series on the CCPA focuses on the law’s anti-discrimination clause, its ambiguities and potentially contradictory provisions, and impact on businesses.

1. The Prohibition on Discrimination

Section 1798.125 of the CCPA prohibits a business from discriminating against California consumers for exercising certain rights under the law. Those rights include requests to access personal information, to delete information, and to opt out of the sale of personal information.

The statutory language specifies that discrimination includes, but is not limited to:

(a) denying goods or services to consumers;

(b) charging different prices or rates for goods or services, including through the use of discounts, benefits, or other penalties;

(c) providing a different level or quality of goods or services; and

(d) suggesting that a consumer will receive a different price or quality of goods or services if the consumer exercises rights under the law.

The CCPA provides certain exceptions to the general prohibition on discrimination. Businesses may charge consumers different prices or offer different levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” The CCPA also permits businesses to offer financial incentives—including payments to consumers as compensation for the collection, sale, or deletion of personal information—if the programs are not “unjust, unreasonable, coercive, or usurious in nature,” and if businesses notify consumers of these financial incentives, obtain opt in consent prior to enrolling a consumer in a financial incentive program, and provide consumers with the opportunity to revoke consent for such programs at any time.

The language suggests that the CCPA was intended to allow businesses to offer tiered pricing or service levels so long as the differences are reasonable or supported with affirmative consent. However, as you delve deeper, the provisions for engaging in such activities require further analysis.

2. The Financial Incentive Provision is in Need of Further Clarification

The CCPA generally prohibits discrimination against those who opt out of the sale of personal information or otherwise exercise a right under the law. But the law expressly allows businesses to offer reasonable financial incentive programs on an opt-in basis, as long as consumers can opt out and withdraw consent for such programs.

If a consumer opts out of a financial incentive program, they have exercised a right under the CCPA. But can a business impose consequences for opting out of a financial incentive program to which a consumer has previously consented after being presented with the material terms of the program?

Looking at the statutory language, there is no clear answer. Although the CCPA expressly supports financial incentive programs, there is a general prohibition on discriminating against consumers for exercising their CCPA rights. So, the lawfulness of financial incentive programs may turn on whether the consequences of opting out are reasonable, as reasonableness is viewed under the CCPA.

3. The Challenge of Calculating the Value of the Data to the Consumer

Prohibited discrimination under the CCPA includes offering different prices, qualities of goods, or levels of service. But businesses are permitted to offer different prices or levels of service, if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” This leads to the question, “What is the value provided to the consumer by the consumer’s data?”

There is no single standard or process via which to measure the value of consumer data to each consumer. Are businesses supposed to gauge the value of the data to a reasonable consumer? Or must the value be assessed for each individual consumer? The value of data to a consumer may be highly context-driven. Absent clear guidance on how to calculate the value, businesses face a high degree of uncertainty.

Some, including law professor Eric Goldman, have argued that this language may have been a drafting error, and that the more appropriate measure is the value provided to the business, which would suggest that discounts or incentives directly related to that value are permitted. If the law were written this way, it would preserve commonly used discounting programs.

4. The Practical Impacts on Businesses’ Data Sharing Relationships

As discussed in our previous post, in light of the broad definition of “sale,” consumers’ right to opt out of the sale of their personal information could disrupt many existing data sharing relationships. Businesses or affiliates exchanging data about their mutual customers, even as part of a broader relationship, could potentially be viewed as engaging in a “sale” if it could be viewed as in exchange for “other valuable consideration.” Such “sale” transfers would therefore be subject to consumer opt out. And this broadly framed right to opt out of the sale of personal information, combined with the anti-discrimination provision, has the potential to significantly impact data-supported business models.

For example, a consumer could sign up for a free or discounted ad-supported version of a service and then opt out from the business’s provision of their personal data to the advertisers that make the service financially viable. But if a consumer opts out of the sale of his or her data, the CCPA’s anti-discrimination clause may prohibit the business from taking certain actions in response. And some responses would be permitted only if the difference in the level of service provided was “reasonably related to the value provided to the consumer by the consumer’s data.” As noted above, businesses are currently left wondering what that standard means and how to implement it.

5. The Anti-Discrimination Clause in Employment and the Workplace

In the context of employment, as discussed in our previous post, there is still uncertainty as to whether the California legislature intended for the CCPA to apply to employee and HR data. Employers collect personal information from employees as a necessary part of doing business.

If the CCPA does apply to employee data, employers will have to assess how they can best engage in routine data practices while respecting CCPA rights, particularly as the rights seem designed for traditional consumers. For example, many employers share employee personal information with their affiliates, in some cases for compliance or investigation functions.

Conclusion

The CCPA’s anti-discrimination provisions limit businesses’ ability to deny services, charge different prices, or offer different qualities of services to consumers who exercise their rights under the law. The drafters allowed for businesses to offer financial incentives for data practices but did not define the term “financial incentives” or more clearly lay out the conditions under which they may be allowed as compensation for the collection, sale, or deletion of personal information. And while the CCPA may be amended during the next legislative session to address its ambiguities and potential contradictions, businesses facing the challenge of CCPA compliance in the coming years will need to proactively assess and develop reasonable approaches to understanding data collection, use, and differential pricing practices for the goods and services offered to consumers.

Digital Media Company Agrees to $4.95 Million COPPA Penalty in Settlement with NYAG

https://www.hldataprotection.com/2018/12/articles/consumer-privacy/digital-media-company-agrees-to-4-95-million-coppa-penalty-in-settlement-with-nyag/

Mon, 10 Dec 2018 21:15:23 +0000

On December 4, 2018, the New York Attorney General (NYAG) announced that Oath Inc., which was known until June 2017 as AOL Inc. (AOL), has agreed to pay a $4.95 million civil penalty to settle allegations that AOL’s ad exchange practices violated the Children’s Online Privacy Protection Act (COPPA). The $4.95 million penalty is the largest ever assessed by any regulator in a COPPA enforcement matter.

The NYAG alleged that AOL used its display ad exchange to help advertisers track and serve targeted display ads to children on hundreds of websites that the company knew were directed to children under the age of 13. Ad exchanges enable websites to sell, and advertisers to buy, advertising space through an auction process that takes place in real time after a user visits a webpage that contains ad space. To facilitate its online auctions, AOL allegedly collected, used, and disclosed to advertisers the personal information from child-directed websites’ users without first obtaining verifiable parental consent as required by COPPA.

COPPA requires operators of websites and online services directed to children under 13 to obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children who use those websites or online services. COPPA also applies to operators of websites or online services—including operators of ad networks or exchanges—targeted at a general audience (i.e., of all ages) if such operator has actual knowledge that it is collecting personal information from children under 13.

In 2013, the Federal Trade Commission (FTC) updated COPPA’s definition of personal information to include persistent identifiers such as cookies and IP addresses, which are commonly collected and used for behavioral advertising purposes. In its COPPA FAQs and 2012 Statement of Basis and Purpose, the FTC expressly described two cases where it believes that an ad network will likely meet the actual knowledge standard: (1) where a child-directed content provider (i.e., an operator of a website or online service directed to children under 13) directly communicates the child-directed nature of its content to the ad network; or (2) where a representative of the ad network recognizes the child-directed nature of the content.

The NYAG alleged that AOL’s ad exchange for display ads was not capable of offering a COPPA-compliant auction because the ad exchange would necessarily collect and share with third party advertisers personal information about website users on websites that it knew to be directed at children under 13 and subject to COPPA. The NYAG claimed that actual knowledge existed because (1) several AOL clients provided the company with notice that their websites were subject to COPPA, and (2) the company itself conducted reviews of the content and privacy policies of client websites that revealed they were subject to COPPA. According to the NYAG, AOL had internal policies that prohibited the use of its display ad exchange to auction ad space on COPPA-covered websites but did not strictly adhere to those policies.

In addition to conducting its own auctions, the NYAG alleged that AOL participated in auctions hosted by other ad exchanges through which the company was notified of auctions for ad space on child-directed websites. The NYAG alleged that when AOL participated in and won such auctions, its systems would nonetheless collect and use personal information from those child-directed website users in violation of COPPA.

As part of its settlement with the NYAG, Oath has agreed to adopt substantial internal reforms aimed at protecting children’s privacy and complying with COPPA, including:

Establishing and maintaining a comprehensive COPPA compliance program that includes a designated executive or officer to oversee the program, annual COPPA training for relevant personnel, risk assessment and implementation and regular monitoring of reasonable controls to address COPPA risks, and a process for selecting and retaining service providers that can comply with COPPA.

Retaining an objective, third party professional to assess the COPPA controls that the company has implemented.

Implementing and maintaining functionality that enables website operators that sell display space through AOL’s ad exchange to indicate each website or portion of a website that is subject to COPPA. AOL will track this information in a database and disclose to each bidder that relevant ad space is subject to COPPA.

Destroying all personal information it has collected from children.

California Consumer Privacy Act: The Challenge Ahead – The Interplay Between the CCPA and Financial Institutions

https://www.hldataprotection.com/2018/12/articles/consumer-privacy/california-consumer-privacy-act-the-challenge-ahead-the-interplay-between-the-ccpa-and-financial-institutions/

Fri, 07 Dec 2018 22:22:09 +0000

This is the ninth installment in Hogan Lovells’ series on the California Consumer Privacy Act.

The California Consumer Privacy Act of 2018 (“CCPA”) exempts information that is collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (“GLBA”), and its implementing regulations (the “Privacy Rule”), or the California Financial Information Privacy Act (“CFIPA”). It does not exempt financial institutions altogether from its requirements where a financial institution is processing information not subject to these regimes. In such situations, a financial institution must comply with a wide array of CCPA obligations, including requirements to make certain disclosures to consumers and to provide certain rights to consumers, such as the right to stop “sales” of their personal information and the right to access data that a business has collected about them. Determining whether information a financial institution processes is covered by the exemption or not can be challenging and is something that financial institutions will need to analyze for their operations.

This blog post provides background on the scope of the exemption and an overview of key considerations for financial institutions developing CCPA compliance programs.

Background

The financial services industry is one of the most heavily regulated industries when it comes to protecting the privacy of personal information. At the federal level, companies that offer financial products or services must comply with the GLBA and Privacy Rule, which govern notice obligations and condition the sharing of a customer’s personal information with third parties on offering consumers an opt-out, subject to certain exceptions. The Right to Financial Privacy Act imposes restrictions on financial institutions’ disclosure of personal information to the government. In addition to the comprehensive federal framework, some states have separately enacted financial privacy laws that provide similar and even additional protections to consumers, such as California’s CFIPA.

Consequently, many financial institutions and industry groups expected that the CCPA would exempt financial institutions from complying with the CCPA. However, the CCPA as originally enacted on June 28, 2018 exempted personal information collected, processed, sold, or disclosed pursuant to the GLBA (and not the CFIPA) only if in conflict with it. Recognizing the limited utility of the original exemption given the potential for financial institutions to comply with the CCPA and the GLBA, the California legislature, through SB 1121’s passage on September 23, 2018, removed the conflict language and added the CFIPA as well. The legislature also clarified that the exemption does not apply to the data breach liability provisions of the CCPA.

While financial institutions will be largely exempt from complying with the CCPA as to personal information collected through core consumer financial services activities, such as personal banking and investment and wealth management services among many other financial activities, the CCPA does not provide a blanket exemption for financial institutions. There may be instances in which a financial institution’s collection and use of personal information fall outside the scope of the exemption. For example, it is likely that the exemption will not apply to personal information collected about individuals who are not “consumers,” as that term is defined by the GLBA/CFIPA and to personal information collected by financial institutions that is outside of the GLBA/CFIPA. As noted, in any event, the CCPA provisions regarding liability for data breaches that result from a failure to implement and maintain reasonable security procedures will apply.

The Scope of the Exemption Is Based on Definitional Differences between the CCPA and the GLBA/CFIPA

A preliminary step to delineating the scope of the exemption and how it applies to financial institutions is understanding that while the CCPA and GLBA/CFIPA use similar terminology, the CCPA defines some key terms differently than the GLBA and CFIPA.

1. Consumer

The definition of “consumer” differs between the CCPA and the GLBA/CFIPA. Under the CCPA, “consumer” is broadly defined to mean any “natural person who is a California resident.” Sec. 1798.140(g). The CCPA does not include any carve-outs. On the other hand, the GLBA and CFIPA more narrowly define “consumer” to mean “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” 12 C.F.R. § 1016.3(e)(1) (we have cited to the Consumer Financial Protection Bureau’s Regulation P, but GLBA regulations issued by other federal regulators are similar). The Privacy Rule provides examples of a “consumer” (12 C.F.R. § 1016.3(e)(2)):

An individual who applies to a financial institution for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.

An individual who provides nonpublic personal information to a financial institution in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.

An individual who provides nonpublic personal information to a financial institution in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer, regardless of whether the bank establishes a continuing advisory relationship.

2. Personal Information

The CCPA exemption applies to “personal information” about a consumer that is collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA. “Personal information” is broadly defined under the CCPA to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Sec. 1798.140(o)(1). One of the listed examples of “personal information” under the CCPA is:

Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

The exemption applies to “personal information” that is collected, processed, sold, or disclosed pursuant to the GLBA or CFIPA. However, the GLBA and CFIPA do not use the term “personal information,” rather, they use the terms “personally identifiable financial information” and “nonpublic personal information.” These terms, while also broadly encompassing a lot of information, are still somewhat more narrowly defined than “personal information” under the CCPA.

Nonpublic Personal Information (“NPI”) is defined as: “(i) personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available” (including for example, lists of customer names and street addresses if they were associated with account information). 12 C.F.R. § 1016.3(p)(1).

Personally Identifiable Financial Information (“PIFI”) is a subset of nonpublic personal information, which the Privacy Rule defines as: “any information: (i) a consumer provides to you to obtain a financial product or service from you; (ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” 12 C.F.R. § 1016.3(q)(1). PIFI includes:

Any information a consumer provides to a financial institution on an application to obtain a loan, a credit card, a credit union membership, or other financial product or service;

The fact that an individual is or has been the financial institution’s customer or has obtained a financial product or service from the financial institution;

Any information about a financial institution’s consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution’s consumer;

Any information that a consumer provides to a financial institution or that the financial institution or its agent otherwise obtains in connection with collecting on, or servicing, a loan or a credit account;

Any information a financial institution collects through an Internet “cookie” (i.e., an information collecting device from a Web server); and

Information from a consumer report.

The differences in the definitions of relevant terms could result in financial institutions being only partially exempt from CCPA compliance. Below are some examples of scenarios where the exemption might not apply:

Employees of Financial Institutions and Applicants for Employment: The plain language definition of consumer under the CCPA applies to all California residents, including a business’s employees and job applicants. As further discussed in our previous post, the California legislature may not have intended such a broad reading and it may be they were intending it to cover consumers in the traditional sense of the word (i.e., individuals who purchase goods or services for personal use). However, unless and until legislative amendments to the CCPA, Attorney General regulations, guidance, or stated enforcement approach clarifies that the CCPA does not apply to employees or applicants for employment, it is prudent for businesses to treat the personal information of employees, applicants for employment, and other individuals (e.g. independent contractors) as covered under the CCPA. As this personal information would not be PIFI or NPI subject to the GLBA/CFIPA (absent providing a financial service to an employee), the exemption does not apply to such personal information.

Business Contacts: Similarly, business contacts, such as employees of vendors or other business partners, are likely CCPA consumers. Any information that a financial institution collects about its business contacts, such as contact information, would not be subject to the GLBA/CFIPA, so the exemption does not apply.

Commercial Customers: The GLBA does not apply to information collected from commercial clients, including sole proprietorships or individuals seeking a product or service for a business purpose. The CCPA, however, does not appear to have such a limitation so likely applies to any personal information collected from commercial clients.

Customer Prospects and Leads: Another situation in which the exemption may not apply is when a financial institution obtains a list of leads for marketing activities or where it collects information about an individual who is interested in obtaining a product or service from a financial institution, but has not reached the threshold of becoming a GLBA consumer. The Privacy Rule provides some examples of when an individual who has not yet obtained a financial product or service from a financial institution becomes a GLBA consumer. A person becomes a GLBA consumer when applying for a financial product or service or providing NPI to determine eligibility for a loan or to seek to obtain a financial, investment or economic advisory service. Accordingly, to the extent that a financial institution collects and maintains personal information of individuals who it does not have a relationship with or who merely inquire about, but do not apply for a financial product or service, those individuals would likely be CCPA consumers but not GLBA consumers, and their personal information would not fall under the exemption.

Website Visitors: The definition of PIFI under the GLBA includes information collected through Internet cookies, 12 C.F.R. 40.3(q)(2)(i)(F); however, the Privacy Rule provides this online data collection example in the context of an individual who is already a GLBA consumer, i.e., customers that have online accounts. Therefore, if a financial institution automatically collects certain information from an individual account holder who is visiting its website (e.g., IP address, browsing history, search history), the information is likely subject to the exemption. On the other hand, if such information is collected from a California resident who is visiting the website but is not a GLBA consumer, the information collected would arguably be subject to the CCPA’s requirements.

As the examples above illustrate, prior to the CCPA’s effective date of January 1, 2020, financial institutions still need to analyze the personal information they possess, including through activities such as data mapping, to determine whether certain of their activities may be subject to the CCPA. To the extent certain activities involving the collection, use, or sharing of personal information fall outside of the CCPA exemption, financial institutions should take steps to prepare for CCPA compliance.

California Consumer Privacy Act: The Challenge Ahead – The Impact of the CCPA on Data-Driven Marketing and Business Models

https://www.hldataprotection.com/2018/11/articles/consumer-privacy/california-consumer-privacy-act-the-challenge-ahead-the-impact-of-the-ccpa-on-data-driven-marketing-and-business-models/

Fri, 30 Nov 2018 20:00:54 +0000

This is the eighth installment in Hogan Lovells’ series on the California Consumer Privacy Act.

In the digital age, data is everything. “Big Data” feeds countless business processes and offerings. Businesses rely on data to enhance revenue and drive efficiency, whether by better understanding the needs of existing customers, reaching new ones in previously unimagined ways, or obtaining valuable insights to guide a wide array of decisions. Data also drives developments in artificial intelligence, automation, and the Internet of Things.

Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. The breadth of personal information covered by the CCPA, going beyond what is typically covered by U.S. privacy laws, will complicate compliance and business operations.

This entry in Hogan Lovells’ ongoing series on the CCPA will focus on implications for data-driven businesses–the rapidly increasing number of businesses that rely heavily on consumer data, whether for marketing, gaining marketplace insights, internal research, or use as a core commodity.

1. The CCPA will apply to data-driven businesses of all sizes

Companies, especially those outside of California, may wonder whether they are subject to the CCPA. As discussed in a previous blog post, the statute applies to for-profit entities that (1) have greater than $25 million in gross annual revenues; (2) annually handle personal information of 50,000 or more consumers, households, or devices; or (3) derive 50% or more of annual revenue from selling personal information. These criteria will result in a wide swath of businesses being subject to the CCPA. For example, a website might only need 137 unique visitors from California per day to reach the threshold of 50,000 consumers. That website’s collection of data through cookies may be captured by the CCPA’s broad definition of personal information. And given the third criterion focused on revenue percentage, even very small businesses that regularly exchange data, for example in the online ecosystem, might be captured if their activities are deemed to be a “sale” under the CCPA.

2. The definition of personal information is broad, and the exemptions for de-identified and aggregate information are unclear

Whether the extensive CCPA requirements will apply to various types of information that a business holds hinges on the statute’s definition of “personal information.” The CCPA’s definition covers an array of data even when it is not tied to actual identifying information. For example, personal information also encompasses data that “relates to … is capable of being associated with or could reasonably be linked directly or indirectly, with a particular consumer or household.” The data does not have to identify a consumer or household; merely relating to a particular consumer or household is sufficient.

Given that the information need not actually identify an individual consumer or household, a business’s handling of any number of data elements can trigger CCPA obligations. These data elements include, among others, geolocation information, biometric information, IP address, and other online identifiers; browsing history; search history; information about how consumers interact with websites, applications, or advertisements; and inferences drawn from these or other types of personal information that may be used to create a profile about a consumer. Using the online advertising ecosystem as an example, the CCPA approach therefore sweeps in much of the information relied on by, and disclosed among, online ad agencies, website publishers, ad exchanges, ad networks, ad buying and selling platforms, and other data businesses in the online ecosystem.

The statute does exempt from its restrictions the handling of data that is “deidentified or in the aggregate.” These exemptions have led some commentators to suggest that the impacts for certain data-driven businesses in the online advertising ecosystem may not be that significant. However, what counts as “de-identified” or “aggregate consumer information” under the CCPA may conflict with common understandings of those terms in the United States.

Under the CCPA, information is only de-identified if it “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” In addition, the business using it must adopt technical and procedural safeguards to prevent its re-identification, have business processes to prohibit re-identification, and it must not make any attempt to re-identify it. Businesses may today view information as “de-identified” even when information relates to a specific-but-unidentified individual. But the CCPA appears to upend this approach, though it is not clear how the California Attorney General, when enforcing the law, will interpret reasonable de-identification. An expansive reading of the CCPA approach to de-identification suggests that even if it would take sharing of information with a third party to actually identify an individual (based on other information the third party possesses), because the information was “capable of being associated with” a particular consumer, it would be personal information even before it was shared with the third party.

The definition of “aggregate consumer information” is similarly unclear. Under the CCPA, aggregate consumer information is “information that relates to a group or category of consumers . . . that is not linked or reasonably linkable to any consumer or household, including via a device.” As with de-identified data, businesses may currently share aggregated information that, through statistical techniques or in combination with other data sets, could enable some de-coupling of information or linking to an individual. Under the current definition, there is no clear threshold for when such information is “reasonably linkable” to a consumer, household, or device.

Given the lack of clarity surrounding these exemptions and the exceptionally broad definition of personal information, the CCPA has the potential to affect a wide range of common business practices, such as those involving the sharing of information that is sometimes currently understood to be de-identified or aggregate information.

3. The CCPA’s new notice requirements may be challenging

Many data-driven businesses collect, combine, and analyze consumer data from multiple sources to gather insights into consumer preferences and behavior. Under the CCPA, these activities also raise new notice obligations. Businesses subject to the CCPA must notify consumers, at or before the point of collection, “of the categories of personal information collected and the purposes for which that information will be used.” The CCPA defines “collection” broadly to include buying, renting, gathering, obtaining, receiving, or accessing information.

While businesses maintaining first-party relationships with consumers may be able to develop a consumer-friendly and convenient mechanism for informing consumers at or before data collection, non-consumer-facing third parties may find complying with notice requirements to be challenging. For example, in the online advertising context, ad networks, exchanges, and other actors in the online ecosystem may find it practically challenging to satisfy this obligation given the lack of direct interaction with consumers. However, the CCPA does not define how consumers must be “informed.” Some might argue that even a non-consumer-facing business could satisfy such requirements by posting requisite disclosures on its own website. Alternatively, entities in the online ecosystem, potentially through industry groups or industry-wide initiatives, may develop mechanisms, contractual or otherwise, to ensure that publishers make appropriate disclosures covering these other entities’ activities.

4. The right to opt out of “sales” of personal information and restrictions on resale may disrupt data-driven business models

Under the CCPA, consumers may opt out of sales of their personal information to third parties. The CCPA defines “sale” broadly to include not just the disclosure of personal information, but also merely “making [it] available, to another business or third party for monetary or other valuable consideration.” Again, in the online context, a website publisher may make information collected by its website (through cookies or otherwise) available to third-party data exchanges or ad networks that use the information to facilitate the placement of ads for the publisher on third-party sites or for third parties on the publisher’s site, or the third parties may use information they obtain to further supplement their own data or profiles. The services performed by the third parties for the publisher, based on the receipt of information, may be viewed as the sale of personal information. It may even be that the entity initially possessing the information is not actively disclosing it, but merely making it available to the other entity. There are many other situations where a data broker or other third party may be obtaining “personal information” (as broadly defined) for its own uses in exchange for a service. Under the CCPA, these scenarios may still require businesses to offer consumers the opportunity to opt out of the data “sale.”

The CCPA also prohibits businesses from engaging in the resale of personal information—i.e., selling data that was sold to it (as opposed to selling data the business collected directly from a consumer)—absent providing consumers explicit notice and an opportunity to exercise the right to opt out of the resale. This provision may raise challenges for businesses such as data brokers whose business models center around selling the data they collect from various sources other than consumers. It will also impact the advertising middlemen that facilitate delivery of targeted ads for multiple companies based on information collected on individual publisher sites, who help companies link a consumer’s offline behavior (e.g., shopping at brick and mortar stores) with online behavior, or who help companies track a consumer across devices. Many commentators have noted that the right to opt out may severely hinder the operations of data brokers and other ad tech middlemen, while favoring “walled gardens”—closed or relatively closed ecosystems that collect and use information of their own users, and who enable advertising without allowing third parties to access their users’ information. Similar to the first party notice requirements mentioned above, the CCPA’s obligation to provide explicit notice prior to reselling data may be problematic for data-driven businesses lacking a first-party relationship with consumers.

Notably, there is an exception to a sale that may be helpful for certain data sharing arrangements. Under the CCPA, a sharing arrangement is not a sale where a business shares personal information with a “service provider” as necessary to perform a “business purpose” as long as it has provided notice of the sharing and has a contract with the service provider to prevent its use of the information for any reason other than performing the business purpose. The CCPA defines business purposes as “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.”

This sale exception for business purposes also requires that the use of personal information “be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” The personal information can also be used for another operational purpose if that purpose is “compatible with the context under which the information was collected.” The CCPA provides examples that include auditing; detecting security incidents; short term transient use if not disclosed to a third party or used for profiling; performing services on behalf of the business, which can include advertising and marketing services; internal research; and quality control. It will be important for businesses to understand the scope of this exception, which may enable various forms of sharing for a number of different purposes without triggering the “sale” opt-out.

To effectuate opt-out rights, companies may need to implement technical measures to respect consumer preferences. They may also need to renegotiate existing data sharing agreements to accommodate the right to opt-out where appropriate.

5. Other consumer rights such as the right to access, portability, deletion, opt-in rights for minors, and anti-discrimination may be especially burdensome for data-driven businesses

The CCPA provides consumers with the right to access their personal information held by a business; the right to receive that information in an easily-transferable format, if provided electronically; the right to request deletion of any personal information (subject to several important exceptions); the right for minors to have opt-in consent for sale of personal information; and the right not to be discriminated against for exercising CCPA rights. While challenging for all businesses, complying with these rights may be uniquely burdensome on data-driven businesses based on the potential volume of data held, the value of that data to the business (with associated risks to allowing consumers to transfer and delete that data), and, in some cases, the lack of a first-party relationship with consumers, which can make it challenging to afford consumers these rights.

Right to Access: Consumers have the right to request businesses “disclose to that consumer the categories and specific pieces of personal information the business has collected.” This right, which consumers may exercise twice per year, obliges businesses to “disclose and deliver, free of charge to the consumer, the personal information” held. Companies must disclose all of the specific types of personal information the business holds, regardless of its source or where the business holds that information. Given the many different databases and servers frequently involved in operating a data-driven business, capturing all data may be logistically challenging, especially if the data is stripped of directly identifying information. Properly effectuating the right to access will thus require well-designed policies and a thorough understanding of one’s digital storage.

Right to Portability: When responding to a request for access to consumer information, businesses must comply with the portability requirement. Specifically, access requests fulfilled electronically “shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.” Respecting this right while protecting proprietary information, which for some businesses could include information such as marketing segments, may be challenging.

Right to Deletion: The CCPA also grants consumers the right to “request that a business delete any personal information about the consumer which the business has collected from the consumer.” In general, companies must comply with a verifiable consumer request. However, businesses may refuse deletion requests if the personal information is necessary for any of nine enumerated purposes. Among these exceptions are where information is necessary to comply with a legal obligation, to provide goods or services requested by the consumer, to detect security incidents, to protect against illegal activity, or to exercise free speech. In another particularly broad but ambiguous exception, businesses may refuse a deletion request if the information is necessary to use “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” It is possible that platforms with first-party relationships may have grounds to refuse a deletion request, even if they use the information for marketing purposes, so long as the use is internal and compatible with the context at the time of collection. Considering the breadth of potential exceptions, data-driven businesses should consider developing policies to assess and respond to deletion requests in a consistent fashion, ensuring consumers’ rights are respected while responsibly protecting their own data to the extent possible.

Affirmative Consent for Selling Personal Information of Minors Under 16: In addition to the general right to opt-out of the sale of personal information, the CCPA also imposes an affirmative consent requirement for the sale of personal information of any minor, if the business has “actual knowledge” the consumer is younger than 16 years. Such affirmative consent must be sought from parents or guardians of consumers under 13 or, for consumers aged 13 to 16, from the consumers themselves. While “actual knowledge” is undefined, the CCPA deems any business that “willfully disregards the consumer’s age” as having actual knowledge. Businesses in a first-party relationship with consumers are better situated to comply with the CCPA’s affirmative consent requirement. For example, they may be able to directly request the consumer’s age or employ technical measures such as an age verification system. But even companies without a first-party relationship are still required to seek affirmative authorization prior to selling information if they have actual knowledge of the consumer’s age, and they cannot willfully disregard indicia of age. Data-driven businesses should assess whether they are likely to engage in any activity that could be construed as “selling” personal information about consumers younger than 16 years, and if so, consider establishing protocols and procedures to mitigate risks.

Anti-discrimination Provision for Consumers Who Exercise Rights plus Additional Differential Treatment Condition: Under the CCPA, companies may not discriminate against consumers who exercise their rights. The CCPA specifically prohibits denying goods or services, charging different prices, providing a different level or quality of goods or services, or suggesting to the consumer that any of the above will happen if they exercise their rights. However, the anti-discrimination provision makes clear that a business may offer different prices or rates, or different levels of quality of goods or services, “if reasonably related to the value provided to the consumer by the consumer’s data.” Cal. Civ. Code § 1798.125(a). Measuring the value provided to the consumer may prove difficult. A more sensible statutory approach would have tied any such difference to the value provided to the business by the consumer’s data.

Notably, in what appears to be a case of poor drafting, there is a separate clause that is not part of the anti-discrimination clause, and therefore not tied to a consumer’s exercise of rights, that explicitly allows businesses to charge different prices or provide different levels of quality with a qualifier similar to the one used in the anti-discrimination provision, i.e., if the differences are “directly related to the value provided to the consumer by the consumer’s data.” Cal. Civ. Code § 1798.125(b). The qualifier is not tied to a prohibition, but as written it suggests that any differential terms are restricted, even in the absence of a consumer exercising a right, if the differences are not tied to the value provided to the consumer for use of the consumer’s data. This subsection also specifies that financial incentives for the collection and sale of personal information require notice to consumers or, if part of a financial incentive program, opt-in consent. The meaning and intent behind this provision is unclear. A forthcoming blog post will discuss the anti-discrimination provision and this separate but related provision in further detail.

Conclusion

The CCPA will impose substantial compliance obligations on all businesses that handle personal information of California consumers. Such obligations may pose particular challenges for the ever increasing array of businesses that leverage consumer data for analytics, profiling, advertising, and other monetization activities, particularly as the compliance requirements are not easily gleaned from the statutory language. Addressing these challenges will require creative, thoughtful approaches and may potentially involve industry-wide coordination to develop and advance practical solutions.

As a first step, data-driven businesses unsure of where they stand should consider assessing their personal information collection and use practices sooner rather than later. Armed with an understanding of the data they hold, whether it fits the broad definition of personal information, how it is collected, where it is stored, and with whom it is shared, businesses can develop proactive strategies to achieve compliance, mitigate risks, and minimize the potential for disruption.

FTC Release Staff Recap of Informational Injury Workshop
https://www.hldataprotection.com/2018/11/articles/consumer-privacy/ftc-release-staff-recap-of-informational-injury-workshop/ (permalink: https://www.hldataprotection.com/?p=10857)
Mon, 19 Nov 2018 15:20:27 +0000

The Federal Trade Commission (FTC) recently published a paper recapping its December 2017 Informational Injury Workshop. Workshop participants, including academics, industry experts, consumer advocates, and government researchers, discussed what types of consumer harm might qualify as “substantial injury” under the FTC Act and what factors should be considered. The paper noted that several important points emerged from the workshop:

Informational Injuries: Examples and Harms

In cases involving medical identity theft, some participants noted that consumer injuries can go beyond financial harm and often include inaccurate information in medical files. They argued that this can lead to more serious issues for treatment and patient safety.

Some victims of doxing, the deliberate and targeted release of private information about an individual, can lose access to important devices, files, and services that can be used to extort the victim.

Some participants noted that disclosure of private information may cause both market harms (e.g., to the ability to obtain or maintain employment) and non-market harms (e.g., to relationships with friends and family).

Some participants also asserted that privacy and data breaches can lead to an erosion of trust in the ability of businesses to protect their data. Some believed that this can lead to disengagement that harms both the affected businesses and the consumers themselves as they miss out on the full range of benefits available.

Balancing Benefits and Harms

Participants noted that informational injuries, and the risk of such injuries, must be balanced against the benefits gained from information collection. The ad-supported Internet is a key benefit of information collection; consumers do not have to pay for services. Participants noted that some websites and online services rely heavily on user- and third-party data inputs, and that web users generally benefit from personalization.

Should Government Intervene?

There was robust debate over whether and when government should intervene over informational injuries. Participants noted the importance of flexibility and innovation and wanted to avoid unintended consequences from government intervention. Some suggested three factors the government should consider before intervening:

How sensitive is the data?

How will the information be used?

Will the information be anonymized or identifiable?

Should the Definition of Injury Include Risk of Injury?

One participant argued that the increased risk of harm created by certain practices should be taken into account, not just the harm itself. Another participant disagreed, arguing that if risk of injury constituted injury then “literally everything, literally the existence of these businesses, would increase the risk of injury and therefore be actionable.”

The Privacy Paradox

The privacy paradox – where people say in surveys they care about privacy but their behavior does not reflect that – was discussed at length. Participants discussed several explanations for the paradox. People may not understand the privacy risks of their behaviors or care differently about their privacy depending on context. One participant suggested that people may not file suit over data breaches because they do not want to make their name public as part of a lawsuit.

More Research Needed

Participants agreed that more research is needed on privacy and data security to help guide policymakers. In June 2019, the FTC will host its annual PrivacyCon conference that will explore new academic perspectives and ongoing research into privacy and data security issues. Additionally, the FTC is conducting an ongoing series of hearings on Competition and Consumer Protection in the 21st Century, including on privacy and data security issues.

Gregory Oshel, in our Baltimore office, contributed to this post.

The Internet of Things Webinar Series: Overcoming IoT Litigation Challenges
https://www.hldataprotection.com/2018/10/articles/consumer-privacy/the-internet-of-things-webinar-series-overcoming-iot-litigation-challenges/ (permalink: https://www.hldataprotection.com/?p=10749)
Thu, 18 Oct 2018 14:22:47 +0000

On October 2, 2018, Hogan Lovells hosted the most recent installment in its Internet of Things (IoT) Webinar Series. Two of our experienced litigation partners, Christine Gateau in Paris and Michelle Kisloff in Washington DC, discussed current regulatory actions and cutting-edge IoT litigation debates in the U.S. and Europe, as well as litigation risks to keep in mind when designing IoT products. To hear more on this topic, please access the full webinar recording using this link.
California Passes First-Of-Its-Kind Law Focused on Internet of Things Cybersecurity
https://www.hldataprotection.com/2018/10/articles/consumer-privacy/california-passes-first-of-its-kind-law-focused-on-internet-of-things-cybersecurity/ (permalink: https://www.hldataprotection.com/?p=10751)
Wed, 17 Oct 2018 16:45:00 +0000

Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”

The new law regulates manufacturers of “connected device(s),” defined as devices that can directly or indirectly connect to the Internet and are assigned an Internet Protocol (IP) or Bluetooth address. The law likely applies primarily to manufacturers of consumer-facing connected devices, given the legislative history and text, although the language is quite broad. Notably, various exemptions apply, including those for:

unaffiliated third-party software or applications that a user adds to a connected device;

providers of means of purchasing or downloading software or applications, such as the provider of an electronic store or marketplace;

connected devices already subject to federal law or regulation promulgated by a federal agency; and

entities or persons subject to HIPAA or the California Confidentiality of Medical Information Act (CMIA), with respect to activity regulated by those laws.

The above exemptions likely exclude large numbers of existing connected devices, such as those regulated by the Food and Drug Administration (FDA) or the Office for Civil Rights (OCR) (the agency with HIPAA enforcement responsibility). However, some otherwise regulated connected devices that fall under an exemption may still be subject to the requirements of this law if those same devices are sold to and used by household consumers. For example, while a manufacturer of a HIPAA-regulated connected medical device appears to fall under an exemption to the extent that federal law applies, the manufacturer may nonetheless remain subject to the new CA IoT law for that device where the manufacturer engages in direct-to-consumer sales.

Although this new IoT law does not clearly define what constitutes a “reasonable” security feature, it specifies that any such feature must be:

appropriate to the nature and function of the device;

appropriate to the information the device may collect, contain, or transmit; and

designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

In addition to the above-mentioned requirements, if a regulated connected device is capable of authentication outside a local area network, the device will be deemed to be equipped with a “reasonable security feature” if:

the preprogrammed password is unique to each device; or

a user is required to generate a new password before accessing the device for the first time.

Well before the January 1, 2020 implementation date, covered manufacturers are well advised to evaluate any existing security features on connected devices subject to this law to confirm that such features provide proper protection of the device and its information. It may be advisable to conduct a review of the design, development, and deployment of the security of connected devices and confirm baseline guidelines for security features. To that end, organizations may find helpful recent draft guidance published by the US National Institute of Standards and Technology (NIST) on “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” NISTIR 8228, which is open for public comment until October 24, 2018.

FTC’s Privacy Shield Enforcement Actions Show Broader Enforcement Lens
https://www.hldataprotection.com/2018/10/articles/consumer-privacy/ftcs-privacy-shield-enforcement-actions-show-broader-enforcement-lens/ (permalink: https://www.hldataprotection.com/?p=10707)
Fri, 05 Oct 2018 17:02:46 +0000

On September 27, the Federal Trade Commission (FTC) announced proposed settlement agreements with four companies it alleges violated Section 5 of the FTC Act by misrepresenting their certification status and compliance with the EU-U.S. Privacy Shield. This latest set of enforcement actions brings the FTC’s Privacy Shield related enforcement to settlements with eight defendants since the framework was adopted in July 2016.

The FTC brought its first set of separate Privacy Shield related enforcement actions against three companies in September 2017 for allegedly misrepresenting to customers the companies’ current participation in the Privacy Shield framework. According to the FTC complaints, merely implying participation in the Privacy Shield framework is enough to draw a misrepresentation charge. In those cases, the companies included statements in their privacy policies that they complied with the Privacy Shield principles though the companies had never completed the certification process with the Department of Commerce.

In a second set of Privacy Shield related actions, the FTC reached a settlement with California-based ReadyTech Corporation for representing to consumers that the company was in the process of obtaining certification status. According to the FTC, while the company had begun the certification process almost two years earlier, it failed to complete the steps necessary to participate in the Privacy Shield framework despite representing to customers that it was pursuing Privacy Shield certification. The FTC alleged that the statement in ReadyTech’s privacy policy that “[it] is in the process of certifying that [it] compl[ies] with the U.S.-E.U. Privacy Shield framework…” effectively represented “directly or indirectly, expressly or by implication” that the company was actively seeking Privacy Shield certification.

First, the FTC is ready to bring enforcement actions against companies who let their Privacy Shield certification lapse but fail to amend their representations to customers. Three of the companies targeted in the recent actions had actually obtained Privacy Shield certification status but failed to complete their annual re-certification as required by the Privacy Shield principles. Despite the lapses, according to the FTC, the companies maintained outdated statements in their privacy policies representing that their Privacy Shield certification was current.

Second, the FTC added to its complaints against two of those companies a second count alleging that despite their certifications lapsing, the companies failed to provide the Department of Commerce with an affirmation that the data they received while still certified under Privacy Shield would continue to be treated in accordance with Privacy Shield principles. The FTC alleged in its complaints that those companies’ failure to provide the Department of Commerce with the required affirmation rendered the companies’ statements “that they would abide by the EU-U.S. Privacy Shield framework principles” to be false.

As echoed by Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, the FTC’s recent Privacy Shield enforcement actions show the agency’s continued intention to use companies’ misrepresentations about Privacy Shield compliance and certification as a basis for bringing enforcement actions against them. Privacy Shield participants should ensure not only that their Privacy Shield certifications remain current but also that the representations they make about Privacy Shield compliance remain up-to-date. In addition, former Privacy Shield participants should provide the Department of Commerce with the required affirmation that data collected while the company was Privacy Shield certified will continue to be treated according to its principles.

Update: On November 19, 2018, the FTC approved its proposed settlements with the four companies in a 4-0-1 vote after receiving no comments.

California Consumer Privacy Act: The Challenge Ahead – A Comparison of 10 Key Aspects of The GDPR and The CCPA
https://www.hldataprotection.com/2018/10/articles/consumer-privacy/california-consumer-privacy-act-the-challenge-ahead-a-comparison-of-10-key-aspects-of-the-gdpr-and-the-ccpa/ (permalink: https://www.hldataprotection.com/?p=10684)
Wed, 03 Oct 2018 14:48:37 +0000

This is the fifth installment in Hogan Lovells’ series on the California Consumer Privacy Act.

As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA. This post compares the CCPA and the GDPR in ten key areas: (1) geographic scope, (2) entities subject to the law, (3) the definition of personal data/information, (4) notice requirements, (5) access and portability rights, (6) deletion rights, (7) rights to object or opt out, (8) relationships with processors/service providers, (9) anti-discrimination / compelled consent provisions, and (10) enforcement.

1. Geographic Scope

Both laws can apply to entities located inside and outside of their respective jurisdictions. The GDPR applies to entities that are established in the EU, as well as entities not established in the EU that process the personal data of persons located in the EU in the context of either (i) offering goods or services to persons in the EU, or (ii) monitoring the behavior of persons in the EU.

While the CCPA is less explicit about its geographic scope, it will likely also have extraterritorial effect. The statute’s most direct reference to geography comes in the definition of “business” (the class of entities which are subject to most CCPA requirements), which requires that an entity subject to the law “does business” in California. While the CCPA does not define this phrase, “doing business” has a long history of interpretation under U.S. and California personal jurisdiction jurisprudence. Therefore, the CCPA should apply to any business, regardless of physical presence or place of incorporation, which regularly offers goods or services to persons or entities in California or otherwise purposefully derives benefit from its activities in California.

2. Entities Subject to the Law

The GDPR and CCPA take different approaches to defining the types of entities that must comply with the law. Under the GDPR, any person or entity that processes (collects, stores, uses, etc.) personal data can be subject to the law’s requirements, unless such processing is for purely personal or household purposes. Whether an organization operates for profit, meets certain revenue thresholds, or collects personal data from a certain number of persons has no bearing on GDPR’s application.

In contrast, the CCPA sets out a number of threshold criteria for what type of entity constitutes a covered “business,” namely that it: (1) operates for profit, (2) collects California consumer personal information, (3) determines the purposes and means of processing that information, and (4) meets one of the following criteria: (i) has annual gross revenues exceeding $25 million, (ii) annually buys or sells personal information of 50,000 or more California consumers, households, or devices, or (iii) derives more than 50% of its annual revenue from selling California consumers’ personal information. Alternatively, an entity can qualify as a “business” if it controls or is controlled by an entity that meets the above criteria and shares common branding with that entity. Thus, a non-profit organization—which can be subject to the GDPR—would not be directly subject to the CCPA unless it controls or is controlled by a for-profit entity that qualifies as a “business” and shares common branding, or receives personal information from a business via a “sale.”

3. Definition of Personal Data/Information

The GDPR and CCPA have similar definitions of personal data/information that are conditional, content-neutral, and can potentially cover any type of information, provided there is a sufficient link between the information and a particular individual. The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” Personal information under the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” A notable difference between these definitions is the CCPA’s inclusion of information linked to a particular “household.” While not defined in the CCPA, a “household” will likely cover, at minimum, data linked to a particular address, even if such data is not linked to any natural persons or device identifiers.

4. Notice Requirements

The GDPR and CCPA have partially overlapping notice requirements. Among other things, the GDPR requires that controllers notify data subjects about the purposes for which personal data will be processed, the legal basis for processing, the categories of entities who may receive the personal data, the retention period for personal data, and the data subjects’ rights. This information must be provided to data subjects at the time when personal data are collected (if data is collected directly from a data subject), or within a reasonable period after the data is collected (if data is collected from a source other than the data subject).

The CCPA requires that businesses notify consumers prior to or at the point of collection only of the categories of personal information collected and how it will be used. Unlike the GDPR, the CCPA does not specify how or when such notice should be provided if a business collects personal information from a source other than the consumer and never has contact with the consumer. The GDPR allows this notice to be provided “within a reasonable period of time” or, if used for communication, at the time of first communication, and provides an exception to notice where doing so would prove impossible or involve a disproportionate effort.

The CCPA does require businesses to disclose a significant amount of information in their online privacy policies, including some categories not required by the GDPR. In particular, the CCPA requires a business’s online privacy policy to disclose a description of CCPA rights and how to exercise them, as well as three separate lists of the categories of consumer personal information that the business, over the preceding 12 months, has (1) collected, (2) sold, or (3) disclosed for business purposes (or the fact that it has not done so).

5. Access and Portability Rights

Both laws have relatively similar access and portability rights, although the scope of the CCPA’s portability obligation is arguably broader.

The GDPR access right grants data subjects the right to obtain confirmation of whether a data controller is processing their personal data, access to the personal data itself, and general details about the processing. The GDPR also provides a separate right to data portability, under which the data subject has the right to receive the personal data that she provided to a controller in a “structured, commonly used and machine-readable format” and to transmit such data to another controller without hindrance. However, such data portability is limited to personal data processed on the basis of consent or on a contract, where the processing is carried out by automated means.

Although the CCPA and GDPR access rights are similar in many ways, one key difference is the CCPA’s requirement that a business list the categories of personal information that it sells/discloses to each category of third party to which the consumer’s personal information is sold/disclosed. Given that the GDPR does not explicitly require this granular information about third party disclosures, businesses that have already prepared for GDPR access requests may need to take additional steps to map and maintain ongoing awareness of how each individual consumer’s personal information is transferred to third parties.

In addition, under the CCPA, information provided in response to an access request may be delivered by mail or electronically, and if provided electronically, must be “in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.” As such, the CCPA requires the portability of all personal information, and unlike the GDPR does not limit portability just to personal data both provided by the data subject and processed on the basis of consent or contract.

6. Deletion Rights

The GDPR and CCPA both grant individuals the right to have their data deleted under certain circumstances. The GDPR deletion right is limited to enumerated situations, such as when personal data are no longer necessary for the purposes for which they were collected or when processing is based on consent that has subsequently been withdrawn. Additionally, there are broad exceptions that allow a data controller to refuse to delete data (e.g., data is necessary for compliance with a legal obligation).

While the CCPA’s deletion right is not limited to specific, enumerated situations, it is subject to several explicit but broadly framed exceptions for certain uses of personal information. For example, a business can refuse to delete information that is necessary to provide the service, complete a transaction, detect security incidents or fraud, or for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”

Given the fundamental similarities between the GDPR and CCPA deletion rights, businesses that have developed GDPR deletion policies and procedures will likely be able to repurpose these documents when designing the analogous CCPA policies and procedures. However, such policies will need to be revised to account for the different considerations that are involved in determining whether a deletion request must be honored. For example, the GDPR may require a business to consider alternative legal bases for processing if a data subject withdraws consent, such as the company’s legitimate interest in retaining the personal data for security purposes, while the CCPA will require the business to determine whether any of the use exceptions apply. On balance, the CCPA’s exceptions to the deletion right are more straightforward than the GDPR’s exceptions. However, some of the CCPA exceptions will still require thoughtful analysis (e.g., considering whether data is used for purposes that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business).

7. Rights to Object/Opt Out

Consumers’ broad right to opt out of the sale of their personal information is one of the most impactful elements of the CCPA. As discussed in our previous blog post, the term “sale” is broadly defined and will likely encompass many types of data sharing between entities. The CCPA does not list any exceptions to this right to opt out.

While the GDPR does not have a direct analog to the CCPA’s right to opt-out of the sale of personal information, the GDPR’s right to object affords data subjects an unconditional right to stop the use of their personal data for direct marketing purposes. The unconditional nature of the right to stop direct marketing makes this right somewhat analogous to the CCPA’s right to opt out of the sale of personal information. Moreover, under Article 21 of the GDPR, a data subject can object to the processing of personal data under the controller’s “legitimate interests” unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject. Although it is yet to be seen how EU regulators will interpret the scope of this objection right, certain data-sharing relationships that overlap with the CCPA’s concept of “selling” data will most likely be encompassed. (For more on this, see our future blog post on the impact of the CCPA on data-sharing relationships.)

Therefore, policies and procedures that have been developed to implement the GDPR’s direct marketing opt-out—or other consumer choices—may be of use when designing policies and procedures to implement the CCPA’s sale opt-out. However, these policies and procedures will need to be revised in order to account for the fact that the “sale” opt-out will apply to a broad range of activities beyond direct marketing (e.g., sharing personal information with a third party for their own analytics purposes).

The CCPA also requires that a business that sells personal information must provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on the business’s homepage that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer’s personal information. Mere inclusion of such a button on a business’s homepage could lead more California consumers to exercise their right to opt out than EU end users, whose right to opt out needs to be explained only in a privacy policy. Therefore, businesses may wish to consider whether to offer a California-specific version of their homepage or how they will deal with non-Californian consumers who click on that link.

8. Relationships with Processors/Service Providers

Both laws have implications for service provider relationships. However, the GDPR imposes more explicit and extensive obligations for data processors than the CCPA.

Under the GDPR, transfers of personal data to processors (pure service providers) must be governed by a contract that expressly requires the processor to, among other things, process personal data only on the documented instructions of the controller, ensure that persons authorized to process personal data are bound by a duty of confidentiality, provide appropriate technical and organizational measures for security of personal data, and assist the controller with other GDPR requirements. Processors may retain sub-processors only with the consent of the controller and must flow down their GDPR obligations.

By contrast, the CCPA does not mandate that a business impose specific contractual obligations on its service providers. Rather, the CCPA incentivizes businesses to impose certain contractual limitations on service providers by creating an exception to the definition of “sale” for transfers of consumer personal information to them. To take advantage of this exception, a business must execute a written contract with the service provider that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing services specified in the contract for the business or as otherwise permitted by the CCPA. To avoid compliance obligations and liability under the CCPA itself, the service provider may not further collect, sell, or use the personal information provided by the business, except as necessary to perform the business purpose specified in its contract.

Although not explicitly required by CCPA for service provider contracts, businesses will also want to consider contractually requiring service providers to facilitate the fulfillment of deletion requests given that the CCPA requires businesses to “direct any service providers to delete the consumer’s personal information from their records” if requested by the consumer. And, to the extent a service provider also holds personal information subject to a consumer access right under the CCPA, businesses will also want to contractually obligate their service provider to assist with such requests, including to provide a copy of such information in a portable and “readily usable” format.

Companies subject to both the GDPR and CCPA should consider updating their contracting processes to account for the new issues raised by the CCPA. This could involve revising existing privacy/confidentiality language in service provider contracts to extend existing protections to cover California personal information or adding terms that specifically address CCPA requirements for just California personal information.

9. Anti-Discrimination / Compelled Consent

Businesses are prohibited from discriminating against consumers who exercise their rights under the CCPA. Discrimination is broadly defined to include denying, charging different prices for, or offering different qualities of goods or services. However, the CCPA does allow businesses to charge consumers different prices or offer different qualities of goods or services if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.”

Although the GDPR does not have a direct analog to the CCPA’s anti-discrimination requirements, the EU views the right to privacy as a fundamental human right that cannot be waived by consent. Thus, by implication, a user contract that required the data subject to waive their GDPR rights as a condition to use a service would be presumptively invalid. In addition, there is a significant debate under the GDPR about the extent to which a company can make the provision of a service conditional on consent to certain processing of personal data. Companies who have considered this issue under the GDPR may need to adapt their GDPR consent strategies to account for the CCPA’s anti-discrimination provision.

The practical implications of the anti-discrimination provision on data strategies will be discussed in more detail in a future blog post in our CCPA series.

10. Enforcement

The GDPR and the CCPA both allow for significant fines. The GDPR caps fines at the greater of €20 million or 4% of worldwide turnover. The CCPA allows for fines of up to $2,500 per violation or $7,500 per intentional violation, but notably does not place a cap on the total amount of fines. Unlike the GDPR, the CCPA provides businesses with a period of 30 days to cure alleged violations of the law before a fine can be assessed.

The CCPA and GDPR both include private rights of action. However, unlike the GDPR, which gives data subjects a right to a judicial remedy and compensation for damages from a controller or processor that infringes their rights, the CCPA offers a private right of action only to consumers whose personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of its duty to implement reasonable security procedures appropriate to the nature of the information. Additionally, this right applies only to a subset of “personal information” (e.g., Social Security number, driver’s license number, medical information, and other information subject to California’s breach notification statute), and it does not apply if the personal information is redacted or encrypted.

California Consumer Privacy Act: The Challenge Ahead – Consumer Litigation and the CCPA: What to Expect
https://www.hldataprotection.com/2018/09/articles/consumer-privacy/california-consumer-privacy-act-the-challenge-ahead-consumer-litigation-and-the-ccpa-what-to-expect/
Thu, 27 Sep 2018 21:44:21 +0000

This is the fourth installment in Hogan Lovells’ series on the California Consumer Privacy Act.

This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA).

For several years, the plaintiffs’ bar increasingly has relied on statutes like the Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq., and the Customer Records Act, Cal. Civ. Code § 1798.81, et seq., to support individual and classwide actions for purported data security and privacy violations.

The CCPA creates a limited private right of action for suits arising out of data breaches. At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute. Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.

Here’s what you need to know:

The CCPA Provides a Limited Private Right of Action for Data Breach Suits

The CCPA allows consumers, under certain circumstances, to bring suits where their nonencrypted or nonredacted personal information has been subjected to unauthorized access, exfiltration, theft, or disclosure as a result of a business’ violation of its duty to implement and maintain reasonable security procedures. Cal. Civ. Code § 1798.150. (Note: “Personal information” for purposes of data breach-related suits is as defined in the California Customer Records Act (Cal. Civ. Code 1798.81.5(d)(1)(A)), which is narrower than the CCPA’s definition. See Cal. Civ. Code § 1798.150(a)(1)).

Under this provision, consumers may seek actual damages or statutory damages between $100 and $750 per incident, whichever is greater. Cal. Civ. Code § 1798.150(a)(1)(A). In assessing the amount of statutory damages, courts shall consider any one or more relevant circumstances including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of misconduct, the length of time over which the misconduct occurred, the willfulness of the misconduct, and the defendant’s assets, liabilities, and net worth. Id. at § 1798.150(a)(2). Consumers also may seek injunctive or declaratory relief, or any other relief the court deems proper for such violations. Id. at § 1798.150(a)(B) & (C).

Before filing suit, however, a consumer must provide 30 days’ written notice to the business and a 30-day opportunity to cure. Cal. Civ. Code § 1798.150(b)(1). If the business cures the noticed violation within that time frame and provides the consumer an “express written statement that the violations have been cured and that no further violations shall occur,” the consumer cannot initiate an action. Id. If, however, the business’s violations continue, the consumer may initiate an action to enforce the express written statement and may pursue statutory damages for each breach of the written statement, as well as any other violation of the statute that postdates the written statement. Id.

The California Legislature recently passed its first amendments to the CCPA, making clear that this private right of action indeed only applies to data breaches. This is a point of contention for California Attorney General Xavier Becerra, who has urged legislators to further amend the law to allow consumers to seek legal remedies for themselves under the other provisions of the CCPA. For now, though, the private right of action is limited. It provides consumers with yet another statutory basis on which to assert claims arising out of data breaches. Moreover, the plaintiffs’ bar likely will try to argue that the CCPA’s statutory damages provision dispenses with their obligation to show actual injury and particularized harm.

Plaintiffs Likely Will Argue the CCPA Provides a Basis for Unfair Competition Law Claims

Other than the limited private right of action described above, the CCPA precludes individuals from using it as a basis for a private right of action under any other statute. See Cal. Civ. Code § 1798.150(c) (“Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”). While this language, on its face, may seem to prevent the CCPA from being used as a legal predicate for claims under consumer protection laws like the Unfair Competition Law (“UCL”), similar language has not deterred the plaintiffs’ bar in the past, and there is no question they will be eager to test its limits here.

A broadly-worded statute, the UCL provides a cause of action for business practices that are unlawful, unfair, or fraudulent. Cal. Bus & Prof. Code § 17200, et seq. The UCL remains a predominant vehicle for plaintiffs to enforce rights afforded by more fulsome regulatory schemes where they have suffered damages as a result of “unlawful” practices. This is because the UCL “borrows” violations of other laws and treats them as independently-actionable unlawful practices. Cel-Tech Commc’ns, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 180 (1999).

Generally, plaintiffs are prohibited from using the UCL to plead around an absolute bar to private relief. However, in recent years, we have seen that even statutes that do not expressly provide private rights of action may support claims under the UCL. See, e.g., Rose v. Bank of America, N.A., 57 Cal. 4th 390, 393 (2013) (allowing “unlawful” UCL claim for violations of the federal Truth in Savings Act despite no express private right of action because Congress intended for state laws to hold banks to equivalent standards); see also Zhang v. Super. Ct., 57 Cal. 4th 364, 368 (2013) (holding that the Unfair Insurance Practices Act’s bar against private actions did not prevent UCL claim based on grounds that are independent from the underlying statute even when the purported conduct also happens to violate it). Indeed, courts have reasoned that to forestall an action under the UCL, “another provision must actually ‘bar’ the action or clearly permit the conduct.” Rose, 57 Cal. 4th at 398 (quoting Cel-Tech Commc’ns, Inc., 20 Cal. 4th at 183).

In assessing the viability of future CCPA-based claims under the UCL, courts likely will focus on whether the legislature specifically intended to preclude its private enforcement. Because the CCPA specifically permits private actions based on data breaches, it seems probable the plaintiffs’ bar will assert that it provides an additional basis for UCL claims in data breach cases.

In addition, it remains to be seen whether courts will find the CCPA’s language sufficient to bar private suits based on violations of the law other than data breaches. For example, the Health Insurance Portability and Accountability Act (“HIPAA”) likewise does not provide for a private right of action – and the Department of Health and Human Services and states’ attorneys general are responsible for its enforcement – yet the Ninth Circuit has determined that a HIPAA violation can provide the basis for a UCL action. Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1082 (9th Cir. 2007) (applying California law in diversity case and holding that absence of private right of action under HIPAA does not foreclose UCL claim based on HIPAA violation).

Past experience with some other California statutes may provide useful authority for arguing that the language of the CCPA should be read to preclude CCPA-based actions under the UCL. For example, in the seminal case of Moradi-Shalal v. Fireman’s Fund Ins. Cos., the California Supreme Court held that the Unfair Insurance Practices Act, which does not expressly preclude a private right of action, bars claims based on alleged violations of that statute because the California Legislature contemplated only administrative enforcement by the Insurance Commissioner. 46 Cal. 3d at 305, 313 (1988), overturning Royal Globe Ins. Co. v. Super. Ct., 23 Cal. 3d 880 (1979). Similarly, the Federal Trade Commission Act does not expressly prohibit a private right of action, yet it has been interpreted to preclude such actions because its enforcement lies with the Federal Trade Commission. See O’Donnell v. Bank of America, Nat. Ass’n, No. 11-16351, 2013 WL 98554, at *1 (9th Cir. Jan. 9, 2013).

Here, the CCPA’s ultimate enforcement authority is the California Attorney General, and its present language disclaims its use as the basis for a private right of action under any other law. While companies possessing information of California consumers will have legitimate grounds to argue that the CCPA is an improper predicate for an “unlawful” claim under the UCL, it would nonetheless benefit businesses for the Legislature to further refine the provision and make that legislative intent even more express. In addition, the plaintiffs’ bar almost certainly will argue that the CCPA does not preclude consumers from bringing CCPA-based claims under the UCL if they can establish that the practice is unlawful, unfair, or fraudulent independent of the fact that it violates the CCPA. However, if a plaintiff lacks standing to bring a UCL claim in the first instance, nothing in the CCPA as worded would provide an independent basis on which to assert a claim.